consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
928312e2187e2369503a13056969fe5bff8e1483
nairobi/app/views/layouts/application.html.erb
Javi Martín 928312e218 Use sanitize in translations with links 
Sometimes we're interpolating a link inside a translation, and marking
the whole translations as HTML safe.

However, some translations added by admins to the database or through
crowdin are not entirely under our control.

Although AFAIK crowdin checks for potential cross-site scripting
attacks, it's a good practice to sanitize parts of a string potentially
out of our control before marking the string as HTML safe.
2019-10-08 18:46:21 +02:00

55 lines
2.0 KiB
Plaintext
Raw Blame History

<!DOCTYPE html>
<html lang="<%= I18n.locale %>" data-current-user-id="<%= current_user.try(:id) %>">
<head>
<%= render "layouts/common_head", default_title: setting["org_name"] %>
<%= render "layouts/tracking_data" %>
<%= render "layouts/meta_tags" %>
<%= content_for :canonical %>
<%= favicon_link_tag image_path_for("apple-touch-icon-200.png"),
rel: "icon apple-touch-icon",
sizes: "200x200",
type: "image/png" %>
<%= content_for :social_media_meta_tags %>
<%= setting["html.per_page_code_head"].try(:html_safe) %>
</head>
<body class="<%= yield (:body_class) %>">
<%= setting["html.per_page_code_body"].try(:html_safe) %>
<h1 class="show-for-sr"><%= setting["org_name"] %></h1>
<div class="wrapper <%= yield (:wrapper_class) %>">
<%= render "layouts/header", with_subnavigation: true %>
<% if browser.ie? && cookies["ie_alert_closed"] != "true" %>
<!--[if lt IE 9]>
<div data-alert class="callout primary ie-callout" data-closable>
<button class="close-button ie-callout-close-js"
aria-label="<%= t("application.close") %>" type="button" data-close>
<span aria-hidden="true">&times;</span>
</button>
<h2><%= t("layouts.application.ie_title") %></h2>
<p>
<%= sanitize(t("layouts.application.ie",
chrome: link_to(
t("layouts.application.chrome"), "https://www.google.com/chrome/browser/desktop/", title: t("shared.target_blank"), target: "_blank"),
firefox: link_to(
t("layouts.application.firefox"), "https://www.mozilla.org/firefox", title: t("shared.target_blank"), target: "_blank")
)) %>
</p>
</div>
<![endif]-->
<% end %>
<%= render "layouts/flash" %>
<%= yield %>
<div class="push"></div>
</div>
<div class="footer">
<%= render "layouts/footer" %>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink